Security Events in WinCC OA
Section | Description |
---|---|
ACCOUNT MANAGEMENT | Log messages for Account Management (password and account changes, session and connection timeout) |
COMMUNICATION INTEGRITY | Log messages for communication and connection events (Manager connection) |
NETWORK AND SECURITY CONFIGURATION SETTINGS | Log messages for network and security configuration settings (http and proxy messages, authorization configuration changes) |
USER IDENTIFICATION AND AUTHENTICATION | Log messages for IACS User Identification and Authentication (login and OS authentication) |
Security Events Information
Security Events Description
A general description of the structure of security events and the severity of the contained information.
Event Log Message Elements
The description of the dedicated security event log messages contain following elements:
- ID
- The unique ID of an event.
- Example
- An example log message to demonstrate the structure and content of the specific log message event.
- Symbolic Structure
-
Each log message contains following elements:
Element Description Source The manager that sent the log message. Contains the type of manager as well as the manager ID. Time Stamp Time information to indicate when the log message was written to the log. Category Message category Type The severity of the raised log messages, see Severity. EventID ID of the event, as used within the _errors.cat
file. If the event message is defined within a different catalogue file, it is also stated with the EventID, e.g.17/OaLogin
for theSE_ACCOUNT_DISABLED
event.Log Message The actual message of the log entry, containing information or details about events or errors that occurred. - Additional Details
- Information that elaborates on the content of the log message. Contains, for example, information about specific elements of the error message, which are dynamically added.
- Test Information (optional)
- To validate if specific events are correctly recognized within your system, this section of the Security Events in WinCC OA provides steps or details on how to trigger the log message and therefore test your system against these steps.
Severity
- Fatal
-
Represents critical failures that will stop the whole manager or even project.
For example: “S7 driver cannot be started” or “Corrupt table structure in project configuration database”
- Severe
-
A software problem that the system cannot handle, but can continue to operate around with limited functionality. This can be caused e.g., by environment problems (e.g. missing resources) or internal programming errors. Severe issues should not occur in released product versions, but if they occur, they are valuable hints for analysis.
For example:
“License not found, using demo license instead”
, “Unable to create/persist alert”
“Unable to load last values from DB”
Note: Errors, which the system can handle (e.g.“Wrong time-format used, using default values instead”
, “NULL time occurred in DB record, using default value instead”) are usually classified as warnings (see below). - Warning
-
A smaller disturbance that the system can handle per design and has no major effect on usability.
For example:
“Connection to PLC is lost, attempting to reconnect”
,“Wrong time-format used, using default values instead”
,“NULL time occurred in DB record”
- Info
-
Stands for information.
For example:
“Connection with PLC was established”
,“Listening on port 1234”, “Manager stop”
ACCOUNT MANAGEMENT
Log messages for Account Management (password and account changes, session and connection timeout)
Area permission created
- ID
- SE_AREA_PERMISSION_CREATED
- Example
WCCOActrl (1), 2023.11.02 13:17:25.888, PARAM,INFO, 26/OaLogin, Area permission created, Area Permission: MyAreaPermission
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCOActrl (1) | {log time} | PARAM | INFO | 26/OaLogin | Area permission created, Area Permission: {AREA PERMISSION} |
- Additional Details
-
- {AREA PERMISSION}: Area permission name
- Test Information
-
- Open WinCC OA administrator
- Create a new project or select an existing one
- Start WinCC OA console
- Create a new user group or select an existing one in User administration panel
- Create an area permission
Area permission deleted
- ID
- SE_AREA_PERMISSION_DELETED
- Example
WCCOActrl (1), 2023.11.02 13:17:36.334, PARAM,INFO, 27/OaLogin, Area permission deleted, Area Permission: MyAreaPermission
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCOActrl (1) | {log time} | PARAM | INFO | 27/OaLogin | Area permission deleted, Area Permission: {AREA PERMISSION} |
- Additional Details
-
- {AREA PERMISSION}: Area permission name
- Test Information
-
- Open WinCC OA administrator
- Create a new project or select an existing one
- Start WinCC OA console
- Create a new user group or select an existing one in User administration panel
- Delete the area permission
User account added to group
- ID
- SE_USER_ACCOUNT_ADDED_TO_GROUP
- Example
WCCOActrl (1), 2023.11.02 13:16:11.276, PARAM,INFO, 22/OaLogin, User account added to group, User: MyUser, Groups: root | operatorAll | operator
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCOActrl (1) | {log time} | PARAM | INFO | 22/OaLogin | User account added to group, User: {USER}, Groups: {GROUPS} |
- Additional Details
-
- {USER}: Name of the user account
- {GROUPS}: Added groups associated with the user account
- Test Information
-
- Open WinCC OA administrator
- Create a new project or select an existing one
- Start WinCC OA console
- Create a new user group or select an existing one in User administration panel
- Change association of the user user and its groups
User account deleted
- ID
- SE_ACCOUNT_DELETED
- Example
WCCOActrl (1), 2023.10.01 10:29:13.655, PARAM, INFO, 18/OaLogin, User account testUser(8) has been deleted.
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCOActrl ({MANAGER NO}) | {log time} | PARAM | INFO | 18/OaLogin | User account {USER NAME}({USER ID}) has been deleted. |
- Additional Details
-
- {MANAGER NO}: Manager number of manager running the command channel
- {USER NAME}: Name of the user account
- {USER ID}: Internal ID of the user account
- Test Information
-
- Open the User Administration
- Select user, and click on the "Delete" button
User account deleted from group
- ID
- SE_USER_ACCOUNT_DELETED_FROM_GROUP
- Example
WCCOActrl (1), 2023.11.02 13:16:26.165, PARAM,INFO, 23/OaLogin, User account deleted from group, User: MyUser, Groups: operatorAll | operator
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCOActrl (1) | {log time} | PARAM | INFO | 23/OaLogin | User account deleted from group, User: {USER}, Groups: {GROUPS} |
- Additional Details
-
- {USER}: Name of the user account
- {GROUPS}: Deleted groups associated with the user account
- Test Information
-
- Open WinCC OA administrator
- Create a new project or select an existing one
- Start WinCC OA console
- Create a new user group or select an existing one in User administration panel
- Change association of the user user and its groups
User account disabled
- ID
- SE_ACCOUNT_DISABLED
- Example
WCCOActrl (2), 2023.10.01 10:29:13.655, PARAM, INFO, 17/OaLogin, User account testUser(8) has been disabled.
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCOActrl ({MANAGER NO}) | {log time} | PARAM | INFO | 17/OaLogin | User account {USER NAME}({USER ID}) has been disabled. |
- Additional Details
-
- {MANAGER NO}: Manager number running command channel script
- {USER NAME}: Name of the user account
- {USER ID}: Internal ID of the user account
- Test Information
-
- Open the User Administration
- Select user, and click on the "Deactivate" button
User account enabled
- ID
- SE_ACCOUNT_ENABLED
- Example
WCCOActrl (2), 2023.10.01 10:29:13.655, PARAM, INFO, 16/OaLogin, User account testUser(8) has been enabled.
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCOActrl ({MANAGER NO}) | {log time} | PARAM | INFO | 16/OaLogin | User account {USER NAME}({USER ID}) has been enabled. |
- Additional Details
-
- {MANAGER NO}: Manager number for command channel script
- {USER NAME}: Name of the user account
- {USER ID}: Internal ID of the user account
- Test Information
-
- Open the User Administration
- Click on the "Activate" button
- Select user, and click on the "Activate" button
User group created
- ID
- SE_USER_GROUP_CREATED
- Example
WCCOActrl (1), 2023.11.02 13:15:02.115, PARAM,INFO, 19/OaLogin, User group created, Group: MyGroup
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCOActrl (1) | {log time} | PARAM | INFO | 19/OaLogin | User group created, Group: {GROUP} |
- Additional Details
-
- {GROUP}: Name of the successfully created user group
- Test Information
-
- Open WinCC OA administrator
- Create a new project or select an existing one
- Start WinCC OA console
- Create a new user group in User administration panel
User group deleted
- ID
- SE_USER_GROUP_DELETED
- Example
WCCOActrl (1), 2023.11.02 13:15:17.960, PARAM,INFO, 20/OaLogin, User group deleted, Group: MyGroup
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCOActrl (1) | {log time} | PARAM | INFO | 20/OaLogin | User group deleted, Group: {GROUP} |
- Additional Details
-
- {GROUP}: Name of the successfully deleted user group
- Test Information
-
- Open WinCC OA administrator
- Create a new project or select an existing one
- Start WinCC OA console
- Delete a new user group in User administration panel
user group permission changed
- ID
- SE_USER_GROUP_PERMISSION_CHANGED
- Example
WCCOActrl (1), 2023.11.02 13:15:39.016, PARAM,INFO, 21/OaLogin, User group permission changed, Group: MyGroup, Authorization level: 00000000000000000000000101010101
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCOActrl (1) | {log time} | PARAM | INFO | 21/OaLogin | User group permission changed, Group: {GROUP}, Authorization level: {AUTHORIZATION_LEVEL} |
- Additional Details
-
- {GROUP}: Name of the user group
- {AUTHORIZATION_LEVEL}: Name permission for user group
- Test Information
-
- 1. Open WinCC OA administrator
- 2. Create a new project or select an existing one
- 3. Start WinCC OA console
- 4. Create a new user group or select an existing one in User administration panel
- 5. Change permission for selected user group
User password changed
- ID
- SE_ACCESS_PWD_CHANGED
- Example
WCCOActrl (2), 2023.10.01 10:29:13.655, PARAM, INFO, 15/OaLogin, Password of user testUser(8) has been changed.
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCOActrl ({MANAGER NO}) | {log time} | PARAM | INFO | 15/OaLogin | Password of user {USER NAME}({USER ID}) has been changed. |
- Additional Details
-
- {MANAGER NO}: Manager number running the command chanel script
- {USER NAME}: Name of the user account
- {USER ID}: Internal ID of the user account
- Test Information
-
- Open the User Administration
- Select user, and open the User characteristics panel
- Set password using the "Password" button on the panel
Workstation permission created
- ID
- SE_WORKST_PERMISSION_CREATED
- Example
WCCOAui (1), 2023.11.02 13:16:50.941, PARAM,INFO, 24/OaLogin, Workstation permission created, Workstation: MyWorkstationPermission, Group: MyGroup, Authorization level: 11111111 11111111 11111111 11111110
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCOAui (1) | {log time} | PARAM | INFO | 24/OaLogin | Workstation permission created, Workstation: {WORKSTATION}, Group: {GROUP}, Authorization level: {AUTHORIZATION_LEVEL} |
- Additional Details
-
- {WORKSTATION}: Name of the workstation permission
- {GROUP}: Name of the user group
- {AUTHORIZATION_LEVEL}: Name permission for user group
- Test Information
-
- Open WinCC OA administrator
- Create a new project or select an existing one
- Start WinCC OA console
- Create a new user group or select an existing one in User administration panel
- Create the new workstation permission
Workstation permission deleted
- ID
- SE_WORKST_PERMISSION_DELETED
- Example
WCCOAui (1), 2023.11.02 13:17:06.806, PARAM,INFO, 25/OaLogin, Workstation permission deleted, Workstation: MyWorkstationPermission, Group: MyGroup
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCOAui (1) | {log time} | PARAM | INFO | 25/OaLogin | Workstation permission deleted, Workstation: {WORKSTATION} |
- Additional Details
-
- {WORKSTATION}: Name of the workstation permission
- Test Information
-
- Open WinCC OA administrator
- Create a new project or select an existing one
- Start WinCC OA console
- Create a new user group or select an existing one in User administration panel
- Delete the workstation permission
_auth config has been changed
- ID
- SE_AUTHCONFIG_CHANGED
- Example
WCCILevent (0), 2023.11.15 15:08:17.696, SYS, INFO, 255, _auth config for System1:_Users.:_auth._default._read has been changed
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCILevent (0) | {log time} | SYS | INFO | 255 | _auth config for {NAME} has been changed |
- Additional Details
-
- {NAME}: Name of the data-point and config that were changed
This event is issued when changing an _auth config (adding _auth config, removing _auth config, changing access rights/permissions) of an internal (that is for WinCC OA system relevant) data point.
Access rights can be applied to following configs:
- _address
- _alert
- _alert_class
- _alert_hdl
- _archive
- _cmd_conv
- _corr
- _default
- _distrib
- _dp_fct
- _general
- _lock
- _logger
- _msg_conv
- _original
- _pv_range
- _smooth
- _u_range
- Test Information
-
Open PARA and select the _Users data-point. Select the _auth config and change something and click Apply/OK.
COMMUNICATION INTEGRITY
Log messages for communication and connection events (Manager connection)
Start Manager
- ID
- SE_MANAGER_START
- Example
WCCOActrl (2), 2023.03.14 12:18:20.232, SYS, INFO, 1, Manager Start, PROJ, SecurityEvents3.20, V 3.20 - 3.20 final platform Windows AMD64 linked at Feb 8 2023 08:27:48 (a0f2bb6075f)
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
{MANAGER TYPE} ({MANAGER NO}) | {log time} | SYS | INFO | 1 | Manager Start, PROJ, {project name}, V {version} platform {platform} linked at {linked date} ({commit id}) |
- Additional Details
-
- {MANAGER TYPE}: Type of manager, e.g. WCCOActrl or WCCOAevent
- {MANAGER NO}: Manager number
It indicates the start of one of the manager components (e.g. Data Manager, Event Manager, Control Manager, etc.). Dependent on the project context multiple starts within short time (some minutes) can indicate a severe deviation like repeated crashes or unauthorized access with trial starts. The WCCOAdatabg (data background manager) is stopped and started at every online backup, so these messages do not indicate a deviation.
- Test Information
-
- Open WinCC OA administrator
- Create a new project or select an existing one
- Start WinCC OA console
- Start one manager (eg. WCCOAdata) manually
Start Proxy Manager
- ID
- SE_MXPROXY_START
- Example
WCCILproxy (1), 2023.09.29 12:19:12.422, SYS, INFO, 220, Multiplexing proxy Start, PROJ, SecurityEvents3.20, V 3.20 - 3.20 final platform Windows AMD64 linked at Sep 29 2023 12:19:02 (29e85fd5be6)
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCILproxy (1) | {log time} | SYS | INFO | 220 | Multiplexing proxy Start, PROJ, {project name}, V {version} platform {platform} linked at {linked date} ({commit id}) |
- Additional Details
-
The Proxy Manager Start event message delivers multiple information about the module version, patch and link information.
This message indicates the start of the Proxy manager. It is similar to the Manager Start message but has an own Event ID.
Dependent on the project context multiple starts within short time (some minutes) can indicate a severe deviation like repeated crashes or unauthorized access with trial starts. - Test Information
-
- Open WinCC OA administrator
- Create a new project or select an existing one
- Start WinCC OA console
- Start Proxy manager manually
Stop Manager
- ID
- SE_MANAGER_STOP
- Example
WCCILdata (0), 2023.05.04 12:00:59.812, SYS, INFO, 2, Manager Stop
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
{MANAGER TYPE} ({MANAGER NO}) | {log time} | SYS | INFO | 2 | Manager Stop |
- Additional Details
-
- {MANAGER TYPE}: Type of manager, e.g. WCCOActrl or WCCOAevent
- {MANAGER NO}: Manager number
This event should be paired to its Manager Start event. A missing stop event indicates abnormal termination due to a crash or intentionally forced stop. The WCCOAdatabg (data background manager) is stopped and started at every online backup, so these messages don't indicate a deviation.
- Test Information
-
- Open WinCC OA administrator
- Create a new project or select an existing one
- Start WinCC OA console
- Start one manager (eg. WCCOAdata) manually
- Stop this manager (eg. WCCOAdata) manually with normal termination
Stop Proxy Manager
- ID
- SE_MXPROXY_STOP
- Example
WCCILproxy (1), 2023.09.29 12:20:04.892, SYS, INFO, 221, Multiplexing proxy Stop
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCILproxy (1) | {log time} | SYS | INFO | 221 | Multiplexing proxy Stop |
- Additional Details
-
This event indicates the regular stop of the Proxy manager and is written after cleanup of internal data and after termination of all its connections.
This message is similar to the Manager Stop message but has an own Event ID.
This event should be paired to its Proxy Manager Start event. A missing stop event indicates abnormal termination due to a crash or intentionally forced stop. - Test Information
-
- Open WinCC OA administrator
- Create a new project or select an existing one
- Start WinCC OA console
- Start Data, Event and Proxy manager manually
- Stop Proxy manager manually with normal termination
NETWORK AND SECURITY CONFIGURATION SETTINGS
Log messages for network and security configuration settings (http and proxy messages, authorization configuration changes)
Audit configuration changed
- ID
- SE_AUDIT_CFG_CHANGED
- Example
WCCILproxy (1), 2023.11.21 10:11:35.929, PARAM,INFO, 1/ContinuousMonitoring, Audit config entry changed, SE_LOGOFF ("Logoff") Security Log: TRUE
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
{WCCOA Manager} ({manager number}) | {log time} | PARAM | INFO | 1/ContinuousMonitoring | Security Events configuration entry changed |
- Additional Details
-
This event is issued by a WinCC OA manager when reloading a different config file in runtime.
The event is not shown at manager start, only on config reload events.
The event is shown by all the managers.
{DETAILS}: The details of the change
- Test Information
-
How to force the SE_AUDIT_CFG_CHANGED event within a running WinCC OA project:
Change and save the configuration in the Security Events wizard.
Audit data saved
- ID
- SE_AUDIT_DATA_SAVED
- Example
WCCOAui (1), 2023.11.21 10:11:34.051, PARAM,INFO, 2/ContinuousMonitoring, Audit configuration was saved
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCOAui ({manager number}) | {log time} | PARAM | INFO | 2/ContinuousMonitoring | Security Events configuration was saved |
- Additional Details
- This event is issued by a WinCC OA Ui Manager when the user saves a config file in the Security Events wizard.
- Test Information
-
How to force the SE_AUDIT_DATA_SAVED event within a running WinCC OA project:
Change and save the configuration in the Security Events wizard.
Authorized HTTP connect
- ID
- SE_HTTPAUTH_AUTH
- Example
WCCOActrl (2), 2023.12.04 10:59:15.467, PARAM,INFO, 11/http, Authorized connect from para@md639abc.etm.net, /_info
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCOActrl (2) | {log time} | PARAM | INFO | 11/http | Authorized connect from {user}@{peer host}, {uri} |
- Additional Details
-
- {user}: User attempting connection
- {peer host}: Host name of connecting peer
- {uri}: Requested uri without query parameters
- Test Information
-
Login with valid credentials (login panel) while serverside authentication and httpAuth are activated.
Cannot find Host in Hostlist
- ID
- SE_CANNOT_FIND_HOST_IN_HOSTLIST
- Example
WCCILproxy (1), 2024.04.04 15:33:06.201, PARAM,WARNING, 209, Cannot find the host in the list of the allowed-hosts: (8.8.8.8:4897)
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCILproxy (1) | {log time} | PARAM | WARNING | 209 | Cannot find the host in the list of the allowed-hosts: ({HOSTNAME}:{PORT NUMBER}) |
- Additional Details
-
- {HOSTNAME}: Hostname of the server that the connection attempt should reach
- {PORT NUMBER}: Port number that was opened for network communication (see TCP/IP protocol information)
- Test Information
-
Configure the project using config entry [general]mxProxy; try to connect to a server that has no corresponding proxy entry of its hostname in the server configuration file.
Certificate Chain Prefix mismatch
- ID
- SE_CERTIFICATE_CHAIN_PREFIX_MISMATCH
- Example
WCCOActrl (2), 2024.04.04 15:42:22.090, PARAM,SEVERE, 254, Required chainPrefix: root-cert, received: IOWA-CA;rsa.expired;.
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCOActrl (2) | {log time} | PARAM | SEVERE | 254 | Required chainPrefix: {PREFIX}, received: {BAD PREFIX}. |
- Additional Details
-
- {PREFIX}: Required prefix
- {BAD PREFIX}: Certificate prefix
This event indicates an erroneous or malicious connection attempt from remote.
- Test Information
-
Contact proxy from network using a certificate with a wrong issuer.
Certificate expired
- ID
- SE_CERTIFICATE_EXPIRED
- Example
WCCILproxy (1), 2024.04.05 10:05:03.447, PARAM,WARNING, 218, Certificate /C=AT/ST=Burgenland/O=ETM/OU=IOWA/CN=IOWA-CA/emailAddress=info@etm.at is expired.
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
{WCCOA Manager or proxy} ({number}) | {log time} | PARAM | WARNING | 218 | Certificate {CERTIFICATE DETAIL} is expired. |
- Additional Details
-
{CERTIFICATE DETAIL}: detailed infos of the certificate
This event is issued by any of the WinCC OA processes (server, clients or Proxy) in case of a certificate that was not exchanged in time so that the current date exceeded the certificate expiration date. This event indicates an inattentive project security management.
- Test Information
-
Connect event manager via network using a certificate that has the expire date set to a date in the past.
Certificate Verification failed
- ID
- SE_CERTIFICATE_VERIFICATION_FAILED
- Example
WCCILdataSQLite(0), 2024.04.04 14:26:20.488, PARAM,SEVERE, 219, Certificate verification failed, due to: invalid certificate verification context. WCCOActrl (2), 2024.04.04 14:33:50.134, PARAM,SEVERE, 219, Certificate /C=AT/ST=Burgenland/L=Eisenstadt/O=ETM/OU=RD/CN=root-cert verification failed, due to: self-signed certificate in certificate chain.
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
{WCCOA Manager or proxy} ({number}) | {log time} | PARAM | SEVERE | 219 | Certificate {CERTIFICATE DETAIL} verification failed, due to: {DETAIL}. |
- Additional Details
-
{CERTIFICATE DETAIL}: Detail information of certificate
{DETAIL} can be either one or multiple texts of:
"invalid certificate verification context"
"CERT_TRUST_IS_NOT_TIME_VALID"
"CERT_TRUST_IS_PARTIAL_CHAIN"
"CERT_TRUST_IS_REVOKED"
"CERT_TRUST_IS_NOT_SIGNATURE_VALID"
"CERT_TRUST_IS_NOT_VALID_FOR_USAGE"
"CERT_TRUST_IS_UNTRUSTED_ROOT"
"CERT_TRUST_IS_CYCLIC"
"CERT_TRUST_INVALID_EXTENSION"
"CERT_TRUST_INVALID_POLICY_CONSTRAINTS"
"CERT_TRUST_INVALID_BASIC_CONSTRAINTS"
"CERT_TRUST_INVALID_NAME_CONSTRAINTS"
"CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT"
"CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT"
"CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT"
"CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT"
"CERT_TRUST_IS_OFFLINE_REVOCATION"
"CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY"
"CERT_TRUST_IS_EXPLICIT_DISTRUST"
"CERT_TRUST_HAS_NOT_SUPPORTED_CRITICAL_EXT"
"unknown error: " + some error value
...
This event is issued by one of the WinCC OA Managers or Proxy in case of a general certificate error. The description contains the details, for example: certificate chain broken, untrusted root, certificate is revoked, ...
It indicates an erroneous or malicious connection attempt from remote.
- Test Information
-
Connect to event manager via network using an invalid certificate (e.g. revoked or broken certificate).
Open HTTP Port
- ID
- SE_HTTPPORT
- Example
WCCOActrl (2), 2023.05.04 12:05:05.157, SYS, INFO, 2/http, Server listens on Port https:// - 443. WCCOActrl (2), 2023.05.04 12:05:05.157, SYS, INFO, 2/http, Server listens on Port http:// - 80.
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCOActrl (2) | {log time} | SYS | INFO | 2/http | Server listens on Port {HTTP TYPE}:// - {PORT NO}. |
- Additional Details
-
- {HTTP TYPE}: http or https (encrypted http) format
- {PORT NO}: Port number that was opened for network communication (see TCP/IP protocol information)
- Test Information
-
Start Control Manager manually either using a script that calls the httpServer() function or using webclient_http.ctl script
Open Port from Node.js
- ID
- SE_NODEJS_PORT
- Example
node (3), 2023.12.07 14:31:49.307, SYS, INFO, 1/javascript, Server listens on Port https:// - 443. node (3), 2023.12.07 14:31:49.307, SYS, INFO, 1/javascript, Server listens on Port sftp:// - 22.
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
node (3) | {log time} | SYS | INFO | 1/javascript | Server listens on Port {PROTOCOL}:// - {PORT NO}. |
- Additional Details
-
- {PROTOCOL}: protocol used for the port
- {PORT NO}: Port number that was opened for network communication (see TCP/IP protocol information)
- Test Information
-
Start JavaScript Manager manually using a script that calls reportOpenPort() on the WinccoaManager instance in JavaScript
Unauthorized HTTP connect
- ID
- SE_HTTPAUTH_UNAUTH
- Example
WCCOActrl (2), 2023.12.04 10:28:55.005, PARAM,WARNING, 7/http, Unauthorized connect from para@md639abc.etm.net, /_info
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCOActrl (2) | {log time} | PARAM | WARNING | 7/http | Unauthorized connect from {user}@{peer host}, {uri} |
- Additional Details
-
- {user}: User attempting connection
- {peer host}: Host name of connecting peer
- {uri}: Requested uri without query parameters
- Test Information
-
Login with invalid credentials (login panel) while serverside authentication and httpAuth are activated.
Unauthorized HTTP connect from root
- ID
- SE_HTTPAUTH_UNAUTH_ROOT
- Example
WCCOActrl (2), 2023.12.04 10:51:10.428, PARAM,WARNING, 8/http, Unauthorized connect from root@md639abc.etm.net; 'root' is no valid account for http server, /_info
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCOActrl (2) | {log time} | PARAM | WARNING | 8/http | Unauthorized connect from root@{peer host}; 'root' is no valid account for http server, {uri} |
- Additional Details
-
- {peer host}: Host name of connecting peer
- {uri}: Requested uri without query parameters
- Test Information
-
Login with the root user (login panel) while serverside authentication and httpAuth are activated.
USER IDENTIFICATION AND AUTHENTICATION
Log messages for IACS User Identification and Authentication (login and OS authentication)
Failed Login
- ID
- SE_NETWORK_UNSUCCESSFUL_LOGON
- Example
WCCOAui (2), 2023.10.30 13:30:39.498, PARAM,SEVERE, 201/OaLogin, Failed Login, User: root
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCOAui (2) | {log time} | PARAM | SEVERE | 201/OaLogin | Failed Login, User: {USER} |
- Additional Details
-
- {USER}: Name of the attempting user
Multiple occurrences of this event in a short time can indicate attempts of unauthorized access to the System.
- Test Information
-
- Open WinCC OA administrator
- Create a new project or select an existing one
- Start WinCC OA console
- Add a WCCOAui Manager with following options: "-p vision/login.pnl"
- Start this manager and enter invalid user credentials into the panel and click the login-button
Logoff
- ID
- SE_LOGOFF
- Example
WCCOAui (2), 2023.10.30 13:30:39.498, PARAM,INFO, 202/OaLogin, Logoff, User: root
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCOAui ({manager number}) | {log time} | PARAM | INFO | 202/OaLogin | Logoff, User: {USER} |
- Additional Details
-
- {USER}: Name of the logged off user
- Test Information
-
- Open WinCC OA administrator
- Create a new project or select an existing one
- Start WinCC OA console
- Configure the PanelTopology in a way that it is possible to logoff e.g. Template: "ETMMENU"
- Add a WCCOAui Manager with following options: "-p vision/login.pnl"
- Start this manager and enter valid user credentials into the panel and click the login-button
- Logoff via the panel
Successful Login
- ID
- SE_NETWORK_SUCCESSFUL_LOGON
- Example
WCCOAui (2), 2023.10.30 13:30:39.498, PARAM,INFO, 200/OaLogin, Successful Login, User: root
Source | Time Stamp | Category | Type | EventID | Log Message |
---|---|---|---|---|---|
WCCOAui (2) | {log time} | PARAM | INFO | 200/OaLogin | Login successful, User: {USER} |
- Additional Details
-
- {USER}: Name of the logged in user
- Test Information
-
- Open WinCC OA administrator
- Create a new project or select an existing one
- Start WinCC OA console
- Add a WCCOAui Manager with following options: "-p vision/login.pnl"
- Start this manager and enter valid user credentials into the panel and click the login-button